Manager's Guide to Compliance - Anthony Tarantino - E-Book


Anthony Tarantino

Description

Compliance requirements are here to stay. Prepare your company for the growing challenge. A Wall Street Journal/Harris poll revealed that two thirds of investors express doubts in the ability of corporate boards of directors to provide effective oversight. In the shadow of recent global scandals involving businesses such as Parmalat and WorldCom, Manager's Guide to Compliance: Best Practices and Case Studies is essential reading for you, whether your organization is a major corporation or a small business. This timely handbook places U.S. and global regulatory information, as well as critical compliance guidance, in an easy-to-access format and helps you make sense of all the complex issues connected with fraud and compliance.

"Wide perspectives and best practices combined deliver a punch that will knock your 'SOX' off! The author has blended together a critical mix necessary for effectively handling the requirements of SOX." --Rob Nance, Publisher, AccountingWEB, Inc.

"Robust compliance and corporate governance is an absolute necessity in today's business environment. This new book by Anthony Tarantino is an authoritative guide to understanding and implementing compliance and regulatory requirements in the United States and around the world. From SOX to COSO to ERM, this book covers them all." --Martin T. Biegelman, Certified Fraud Examiner, Fellow and Regent Emeritus of the Association of Certified Fraud Examiners, and coauthor of Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance

"If compliance wasn't difficult enough, now companies are faced with a barrage of technology vendors claiming to automate compliance as if it were a project. In his new book, Dr. Tarantino paints the reality of the situation: companies need to embrace the broader tenets of governance and use technology to embed governance policies and controls into their daily business processes. Only then can they gain business value from their compliance investments." --Chris Capdevila, CEO and cofounder, LogicalApps


Page count: 443

Year of publication: 2006




Contents

Preface

Acknowledgments

Chapter 1: U.S. SOX Section 401: Off-Balance Sheet Arrangements

Introduction

Definition of OBS Arrangements

OBS Entities

Purchase Orders

Leases

Derivatives

Contingent OBS Obligations

Endnotes

Chapter 2: U.S. SOX Section 404: Internal Controls

Introduction

Definition of Internal Controls

Documentation of Internal Controls

Endnotes

Chapter 3: U.S. SOX Section 406: Code of Ethics

Endnotes

Chapter 4: U.S. SOX Section 409: Real-Time Reporting of Material Changes

Introduction

Definition of Real-Time Reporting of Material Changes

Endnotes

Chapter 5: U.S. SOX Impact on Privately Held Companies and Nonprofits

Endnotes

Chapter 6: U.S. SOX Impact on Small U.S. Companies

Endnotes

Chapter 7: U.S. SOX Impact on Foreign Companies

Endnotes

Chapter 8: U.S. Government’s Version of U.S. SOX: OMB Circular A-123

Overview of OMB Circular A-123

A New Federal Approach to Internal Control and Risk Management

Federal Standards for Internal Controls

Internal Control over Financial Reporting

Governing Laws and Enforcement

Summary

Endnotes

Chapter 9: U.S. Healthcare Efforts to Improve Internal Controls: U.S. HIPAA

Endnotes

Chapter 10: Bankers’ and Insurers’ Efforts to Improve Internal Controls

Basel II Improves Banking’s Internal Controls

Basel II Versus SOX

Basel II in the Americas

Solvency II Improves Insurers’ Internal Controls

Common Elements of Basel II and Solvency II

The Gramm-Leach-Bliley Financial Modernization Act (GLB)

Endnotes

Chapter 11: Australia, Canada, and UK Efforts to Improve Internal Controls

Australia’s ASX 10 Principles of Good Corporate Governance

Canada’s 52-109 and 52-111

The UK’s Turnbull Guidance and Combined Code

Endnotes

Chapter 12: EU Efforts to Improve Internal Controls: OECD Principles

Introduction to the OECD

Benchmarking in the OECD Principles

Endnotes

Chapter 13: Global GAAP (IFRS) and Global Reporting Language (XBRL)

International Financial Reporting Standards (IFRS)

Summary

Extensible Business Reporting Language (XBRL)

Endnotes

Chapter 14: Compliance and Internal Controls Impact on Outsourcing

Endnotes

Chapter 15: Civil and Criminal Penalties for Noncompliance

U.S. Penalties

EU and OECD Penalties

Endnotes

Chapter 16: Business Penalties for Noncompliance: A Material Weakness

Endnotes

Chapter 17: Revenue Recognition Requirements: U.S. SAB 101 and 104

Disclosure Requirements

Endnotes

Chapter 18: Data Retention Requirements

Introduction

SOX Section 802

HIPAA

European Union

Endnotes

Chapter 19: Compliance and Internal Control Software

Auditor Support Software

Automated Internal Control Enforcement Software

Additional Software to Support Compliance

Software and Technology Best Practices To Support Compliance

Endnotes

Chapter 20: Auditing Internal Controls

Introduction

Auditing Methodology: Sample P2P Questionnaire

Auditing Methodology: Sample P2P Flowcharts

Auditing Methodology: Sample Case Study

Introduction

Auditing Methodology: Sample P2P Testing

Auditing Methodology: Sample P2P Remediation Matrix

Endnotes

Chapter 21: Best Practices in Internal Controls: Enterprise Risk Management

Events—Risks and Opportunities

Achievement of Objectives

Components of Enterprise Risk Management

Endnote

Chapter 22: Best Practices in Internal Controls: IT Risk Management & SDLC (NIST 800-30)

Endnote

Chapter 23: Best Practices in Internal Controls: Mapping COBIT to COSO I, COSO II, & PCAOB

Chapter 24: Best Practices in Internal Controls: COBIT IT Control Objectives

Chapter 25: Best Practices in Compliance and Internal Controls: ASX 10 Principles

Principle 1: Lay Solid Foundations for Management and Oversight

Principle 2: Structure the Board to Add Value

Principle 3: Promote Ethical and Responsible Decision Making

Principle 4: Safeguard Integrity in Financial Reporting

Principle 5: Make Timely and Balanced Disclosure

Principle 6: Respect the Rights of Shareholders

Principle 7: Recognize and Manage Risk

Principle 8: Encourage Enhanced Performance

Principle 9: Remunerate Fairly and Responsibly

Principle 10: Recognize the Legitimate Interests of Stakeholders

Endnotes

Chapter 26: Best Practices in Internal Controls: Segregation of Duties (SOD)

Introduction

SOD in a Multioperational Environment (Shared Services)

SOD Over Time

Three-Way SOD

Hierarchical SOD (HSOD)

Best Practices in Software Tools to Enforce SOD

Endnotes

Chapter 27: Best Practices in Internal Controls: Case Studies

Item/Parts Master Control Case Study

Supplier Master Control Case Study (Courtesy of Koti Ancha)

Spend Visibility and Control Case Study (Courtesy Koti Ancha)

Sales and Purchase Order Control Case Study

Financial vs. Actual Inventory Accuracy Case Study

After-The-Fact POS Case Study

Chapter 28: Best Practices in Compliance Project Management

Common Compliance Project Elements

Compliance Project Checklist

Compliance Project Roles and Responsibilities

Six Sigma Approach

Chapter 29: Best Practices in Governance and Ethics

Endnote

Chapter 30: Costs versus Benefits and the Business Reaction

Cost Estimates

Benefit Estimates

Conclusion

Endnotes

Appendix A: Frequently Asked P2P Questions

Appendix B: Links to Referenced Organizations and Documents

Glossary

Index

Copyright © 2006 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Tarantino, Anthony, 1949-

Manager’s guide to compliance : Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD principles, Turnbull guidance, best practices, and case studies / Anthony Tarantino.

p. cm.

Includes index.

ISBN-13: 978-0-471-79257-4 (cloth)

ISBN-10: 0-471-79257-8 (cloth)

1. Accounting—Law and legislation—United States. 2. Auditing, Internal—Law and legislation—United States. 3. Disclosure of information—Law and legislation—United States. 4. Accounting—Standards. 5. Auditing, Internal—Standards. I. Title.

KF1357.T37 2006

346.73'06648--dc22

2005034272

Dedicated to Ted and Allie

NOTE TO THE READER

In providing the information contained in this book, the author and contributors are not engaged in rendering legal or other professional advice and services. As such, this text should not be used as a substitute for consultation with professional, legal, or other competent advisers. All information is provided herein “as is.”

Preface

The massive U.S. corporate scandals of the last several years have led to a huge change in the way organizations are governed. At its heart was a failure of leadership, ethics, and morality on several levels, which led to a breakdown in investor confidence. The failures occurred among corporate executives, boards of directors, regulatory agencies, rating agencies, and the press. One could argue this was caused by a lack of virtue and a breaking of a social contract between organizations (public and private) and those who invest in and rely on them. These are age-old concepts. In his Analects, the great Chinese sage Confucius (551–479 B.C.) argued that virtue was the key characteristic of superior leadership. Virtue provides a moral power that allows one to win a following without resorting to physical force and enables a leader to maintain good order. Mencius (372–289 B.C.), often referred to as the second great Chinese sage, developed the notion of a social contract in which one rules by a mandate of heaven. If a leader broke the social contract, his followers would be absolved of all loyalty and might be required to overthrow him. Enron, WorldCom, Parmalat, Ahold, and others broke the mandate of heaven in corporate America and Europe and exposed the lack of virtue in those entrusted with good corporate governance.

These events have spawned a move toward more robust compliance on a global level, which will require much improved internal controls and will change the nature of business in fundamental ways. The struggle for improved compliance is nothing new. Investors have always sought greater transparency, while organizations have sought to limit transparency to protect competitive information. Scandals have always acted as a catalyst to force improved corporate governance and transparency. The South Sea Bubble scandal in the early 1700s fostered improved accounting standards in British companies. U.S. states began enacting blue-sky laws in the early 1900s as the result of shady stock promotions. Of course, the greatest reforms came as a result of the great stock market crash of 1929 and the depression of the 1930s. This led to the passage of federal securities legislation in 1933 and 1934 and the creation of the Securities and Exchange Commission (SEC).1 Reforms have continued, but were greatly accelerated by the scandals of the late 1990s. So there is little chance of a significant rollback in compliance requirements, especially when most investors do not place much faith in corporate boards to provide viable oversight. A Wall Street Journal/Harris poll found about two-thirds of investors expressing doubts in the ability of corporate boards of directors to provide effective oversight.2

Many skeptics have made analogies with Year 2000 (Y2K) and International Organization for Standardization (ISO) certifications, suggesting that this is only a passing fad or an American-based overreaction to Enron-type scandals. Though the argument about an overreaction has some merit, this is no passing fad. Though the U.S. Sarbanes-Oxley Act (SOX) has received the lion’s share of attention, initiatives are underway in almost every global region and industry to improve transparency in financial reporting. In spite of ongoing complaints from U.S. companies about excessive compliance costs, the Wall Street Journal/Harris online poll found that most U.S. investors still believe corporate governance regulations remain too lenient. The same poll found only 6% of investors believing corporate governance to be too strict. This skepticism about the effectiveness of corporate governance has led nearly one-third of investors to reduce or divest their stake in various companies due to concerns about the quality of their corporate governance.3

The reasons for the wave of compliance initiatives and the need for improved internal controls are simple. We are fast approaching a global marketplace in which investors will demand a level playing field in comparing financial results whether companies or industries are based in the United States, the European Union (EU), Russia, China, or other Third World countries. Private companies and nonprofits are feeling pressure from their insurers and bankers to improve internal controls if they want to get the most competitive rates. This is not to say bumps will not occur along the way. Years of sloppy business practices, weak internal and external audits, and lackluster enforcement will make this a painful process. In Third World countries where most businesses are family run and/or closely held, this will present additional challenges.

A major debate is underway as to whether mandatory government regulations with severe civil and criminal penalties, such as SOX, are needed to improve governance and internal controls, or whether principles-based guidelines, as advocated in Europe, will suffice. New York’s Attorney General, Eliot Spitzer, has referenced President Teddy Roosevelt, who advocated 100 years ago that government alone must oversee marketplaces and that self-regulation was doomed to fail. “Teddy Roosevelt understood the marketplace . . . that in order to preserve dynamism in the marketplace there needed to be that force to ensure competition and a level playing field,” he says. “That’s the role we play on Wall Street. That’s what we’ve done in terms of labor markets and the environment.”4

The major U.S. scandals at Enron, Tyco, WorldCom, Riggs Bank, Fannie Mae, ImClone, HealthSouth, and Marsh & McLennan, and the European scandals at Ahold and Parmalat, would suggest the futility of voluntary measures, but it is still early in the process and not yet clear whether SOX will have the desired effect and whether the benefits will outweigh the costs. Post-SOX scandals such as Refco, the largest independent futures brokerage firm, will also fuel the debate, since they show that all the detailed oversight and higher audit standards can still miss major corruption, in this case poor due diligence for Refco’s August 2005 IPO.5

Today’s managers face a growing challenge and dilemma in the global thrust to improve governance and compliance, which at its core requires robust internal controls. The dilemma lies in how to comply in a manner that does not punish operational efficiency and competitiveness. This will be true for privately and publicly held companies throughout the globe and even for nonprofit institutions. Down to the U.S. state level (California’s AB 1386 protects individual identities) and at the federal agency level (the U.S. OMB’s Circular A-123 applies SOX-like requirements to federal agencies), compliance initiatives will become role models bound to spread to other U.S. states, local government agencies, and international governments.

The good news in global compliance efforts is the acceptance of COSO-like standards to improve internal controls. Improved internal controls are at the core of almost all compliance regulations. Though a healthy debate continues between the use of voluntary guidelines and compulsory regulations, there is widespread acceptance of the need to improve internal controls using the Committee of Sponsoring Organizations (COSO) definition and approach. COSO takes a commonsense approach to internal controls, which includes defining and categorizing the criticality of business processes, the risks associated with those processes, and the means to mitigate the risks. The mitigation process includes assigning an owner to each control, and then testing, auditing, and certifying the adequacy of the controls.

We will begin with an introduction to SOX, which is technically called the Public Company Accounting Reform and Investor Protection Act of 2002. SOX was sponsored by Senator Paul Sarbanes (Democrat–Maryland), then chairman of the Committee on Banking, Housing and Urban Affairs in the Senate, and Representative Michael Oxley (Republican–Ohio), the Financial Services Committee chair in the House. It passed the Senate unanimously, won easy approval in the House, and President Bush signed it into law on July 30, 2002. The internal control provisions went into effect for larger companies in 2004. Smaller companies and foreign filers are given more time, with deadlines pushed from July 2005 to July 2007.

The SEC has delivered several final rulings defining its interpretation of SOX. Based on the final rulings, the intent is to expand rather than to limit the reach of the act. William H. Donaldson, the former chairman of the SEC, made it clear in his September 2003 testimony that SOX is essential in restoring investor confidence by providing transparency in financial reporting. He summarized the events of the 1990s and made an ominous comparison with the events of 1929: “The low points in this story are now household names, not just Enron, but also WorldCom, Tyco, Adelphia, and others. There was other serious misconduct as well, including in the once-celebrated IPO market, which in too many cases lacked both fairness and integrity. The cost of this corner cutting to investors has been enormous. While thankfully we have not witnessed the same intensity of human suffering that came with the depression of the 1930s, the most recent downturn in the market directly affected many more investors than the 1929 market crash, because many more individuals had much more of their savings invested in the stock market.”6

We will provide a more detailed look at SOX Sections 401, 404, 406, and 409 and then discuss the impact of SOX on small and foreign filers, private companies, and nonprofits. This will be followed by an overview of SOX-like legislation coming to U.S. federal agencies, Australia, Canada, and the UK. We will include a discussion of efforts to improve internal controls in the following industries: healthcare (HIPAA), banking (GLB and Basel II), and insurance (Solvency II). The movement to create principles-based guidelines by the OECD and global Generally Accepted Accounting Principles (GAAP) through IFRS will be compared to SOX and U.S. GAAP. The discussion of the impact on outsourcing will include an explanation of the Statement on Auditing Standards No. 70 (SAS 70) audit process. The civil and criminal penalties for noncompliance will demonstrate the major changes brought about by the U.S. corporate scandals. Best practices in internal controls will be offered, including several case studies and the role technology can play in automating compliance. Finally, we will provide a cost versus benefits analysis. This text is designed to be an introductory guide and handbook for professionals in information technology (IT), operations, finance, and supply chain. It may be helpful to internal and external auditors but is not designed to provide a framework for the audit process. It may help regulators as a high-level overview of the many compliance and governance initiatives underway throughout the world. Finally, it may also be helpful to investors who seek to evaluate the merits of the compliance initiatives in mitigating risks in the companies, industries, and regions they are considering.

Note: Throughout the text we have used auditing examples and case studies around the procure-to-pay (P2P) process since it is typically well understood by accounting, operations, and IT professionals.

Anthony Tarantino

April 2006

1John Emshwiller, “Opening the Books,” Wall Street Journal, October 17, 2005.

2Becky Bright, “Investors Are Skeptical of Success of Sarbanes-Oxley, Poll Finds,” Wall Street Journal/Harris On Line Poll, October 14, 2005.

3Becky Bright, “Investors Are Skeptical of Success of Sarbanes-Oxley, Poll Finds,” Wall Street Journal/Harris On Line Poll, October 14, 2005.

4Michael Gormley, “Gangbuster to Governor? New York’s Attorney General Starts Down a Familiar Path,” Associated Press, Sunday, June 13, 2004.

5Julie Johnsson, “Chicago’s Grant Thornton Sued Over Refco Scandal,” Chicago Business, Oct. 13, 2005.

6Testimony Concerning Implementation of the Sarbanes-Oxley Act of 2002, by William H. Donaldson, Chairman U.S. Securities and Exchange Commission. Before the Senate Committee on Banking, Housing and Urban Affairs, September 9, 2003, http://www.sec.gov/news/testimony/090903tswhd.htm.

ACKNOWLEDGMENTS

The author gratefully acknowledges the following individuals for their invaluable input and expertise:

Koti Ancha, MSIE, Six Sigma Black Belt, Senior Program Manager, Supply Chain Strategy, Seagate Technology, Scotts Valley, CA. For assistance in providing case studies and general editing.

Mark Stebelton, CPA, Senior Program Manager, Compliance Software and SOX SME, Logical Apps, Irvine, CA. For sharing expertise, specifically regarding SAS 70.

Holly Tran, CISSP, CISM, MSEE, Manager, BearingPoint. For system security and compliance practice support.

Greg Henzel, MBA, Manager, BearingPoint. For contributions to mapping the following standards: COSO, ERM, and PCAOB.

Richard Marti, Manager, BearingPoint. For contributions to mapping the following standards: COSO, ERM, and PCAOB.

Shirley Cui, MSCS. For indexing and general editing support.

Chapter 1

U.S. SOX Section 401: Off-Balance Sheet Arrangements

INTRODUCTION1

Christopher Cox replaced William Donaldson as SEC Chairman in 2005. Since assuming his chairmanship, Cox has advocated a rethinking of regulations, arguing that they are overly complex and that this complexity is partly to blame for the accounting scandals of the 1990s. Perhaps the best evidence of this is the convoluted and confusing regulations and guidance around off-balance sheet (OBS) arrangements. This chapter will detail the current state of the U.S. regulations. It appears that the current regulations invite abuse and misunderstanding, and do not assure investors that Enron-type abuses are a thing of the past.

Section 401 of the Sarbanes-Oxley Act of 2002 requires the listing of off-balance sheet (OBS) arrangements, transactions, and obligations (including contingent obligations) that may have a material effect, current or future, on financial condition, changes in financial condition or results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses. The SEC final ruling requires the disclosure of “the nature and business purpose of the OBS arrangements, why and how they are needed in running a business.” For those wondering why this is an area of concern, a one-word explanation should suffice—Enron. It was Enron’s horrible abuse of such OBS arrangements, and Arthur Andersen’s blessing of them, that led to the most infamous and globally recognized scandal in a generation.

Continue reading in the full edition!